# harden

Hardening scripts for GNU/Linux

---

### base.sh

- [x] mount options
- [x] hide PID's
- [x] umask
- [x] disable root login
- [x] sysctl options
- [x] ssh client and server options
- [x] setup base firewall rules
- [x] harden password hashing

### Explanation

- **initScript**<br>
Set values to control what functions are executed 0=off 1=on<br>
[sh-bible](https://github.com/dylanaraps/pure-sh-bible#escape-sequences)

- **cleanBackup**<br>
Remove temporary directory

- **whatOS**<br>
Check for line ID=XXX in file /etc/os-release that normally comes with most of distros.<br>
If file is not present, script won't install any new packages<br>
man os-resources

- **disableRoot**<br>
Change root shell to nologin which doesn't allow for root user to login into shell.<br>
You can still get root rights by using sudo|man nologin|

- **setUmask**<br>
Umask value changes permission of newly created files, This script changes<br>
the value so that new files are not readable by users other than the owner and<br>
sudo to create files with read permissions for other users so system won't break<br>
when editing config files

- **hardenFstab**<br>
Appends hardened options for certain partitions<br>
noexec - disables possibility of executing binaries<br>
nodev - disables functionality of devices in partition<br>
nosuid - disables option of executing as certain User ID<br>
hidepid - hides process ID's not created by the owner<br>
<br>
Also it appends new options if not present, like:<br>
/dev/shm as tmpfs<br>
/dev as devtmpfs<br>
/tmp as tmpfs<br>
and hardens their mount options<br>

- **hardenSysctl**<br>
Copies already hardened sysctl config to desired directory<br>
and applies those options<br>

- **hardenBoot**
Appends hardened options to mitigate certain cpu vulnerabilities<br>
Also there is option mitigations=auto, but it's slightly less secure, because<br>
some mitigations are lowered from performance concerns<br>

lsm=lockdown - enables linux security module (lockdown) and sets it to confidentality<br>
init_on_alloc=1 - Fill newly allocated pages and heap objects with zeroes
init_on_free=1 - Fill freed pages and heap objects with zeroes
page_alloc.shuffle=1 - Tell allocator to randomize free lists,
slab_nomerge - Disable merging of [slabs](https://en.wikipedia.org/wiki/Slab_allocation) with similar size
vsyscall=none - And disable [vsyscalls](https://web.archive.org/web/20200526182112/https://lwn.net/Articles/446528/) due to their history of making exploits easier.
slub_debug=F - enables sanity checks in the SLUB allocator.
randomize_kstack_offset=1 - This provides [kernel stack randomization](https://web.archive.org/web/20210426000047/https://lore.kernel.org/kernel-hardening/20210401232347.2791257-4-keescook@chromium.org/), making some memory corruption attacks more difficult.

- **limitsConf**
Disables [core dumps](https://linux-audit.com/understand-and-configure-core-dumps-work-on-linux/) and limits numer of [processes](https://wiki.archlinux.org/title/Limits.conf) created by a user

- **setupFirewall**
**WARNING -> Put your main internet device inside of DEV variable**<br>

